For the past year or so, I have been using LastPass as a password manager. I’d like to go over why password managers are important, why you should absolutely start using one if you are not already, and why I ended up with LastPass.
Let's start with the basics: what is a password and why do we use them? Most of our online identities are keyed off usernames and email addresses; that is, the way a website knows who we are is by the username or email address we give it. Unfortunately, both of these are generally public knowledge: we reuse usernames across platforms (I am mc706 almost everywhere), and an email address is literally a public address at which messages can reach us on the internet.
So to prove to a service or website that we are who we say we are, and not anybody else in the world who knows our username, we use passwords. The general idea is that we have a secret string of characters that only we know and never share with anybody else. The service then verifies the username and password together to confirm we are who we claim to be.
There are other methods, such as biometrics and key-based authentication, but they add a margin of error, a lot of inconvenience, or both. So we are stuck with passwords.
Unfortunately, passwords as a means of proving identity suck. One of the simplest illustrations of why is xkcd's Password Strength. Further illustrating the point that people are bad at choosing passwords while computers are great at guessing them is zxcvbn, a blog post by a Dropbox engineer showing how predictable our passwords are. In that post, the author cites Mark Burnett's book, Perfect Passwords: Selection, Protection, Authentication, saying:
…, one in nine people had a password in this top 500 list. These passwords include some real stumpers: password1, compaq, 7777777, merlin, rosebud. Burnett ran a more recent study last year, looking at 6 million passwords, and found an insane 99.8% occur in the top 10,000 list, with 91% in the top 1,000.
The problem of passwords sucking is a compound one, made ever more complex in a world of data breaches such as LinkedIn, Target and Equifax. The majority of passwords we come up with for ourselves are either very common among other humans or easily derivable from a little bit of information about the target. What's worse, most users reuse a small set of passwords (often just one) across all platforms. That means even if you have a strong password, once it is compromised in a data breach the attackers have your email or username together with your password, which probably lets them into the rest of your online identity.
So that is why passwords suck: humans are terrible at generating them, and even when we do a decent job, we don't want to remember a ton of them to protect our identity across the internet. We could write them down, but therein lies another security trap: if someone gets access to the physical list of passwords we use, it is the same as having the same password everywhere.
A password manager is a piece of software that aims to solve this problem in two ways. The first is the ability to generate an arbitrarily complex password whenever one is required. Want a password that has a very high mathematical probability of being unique for all time? Easy.
The second way it helps is by storing these passwords, keyed by the site or service and the username used there. This way, when you go to log in somewhere, your password manager can fill in your username and password for you.
Now you may be thinking, isn't this the same as writing down all of the passwords on a piece of paper? If someone gets hold of your master password list, they have complete control of your online identity. The big difference between using a password manager and writing your passwords down is that you can protect your password manager.
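As an added illustration of the first job, here is how a generator draws a random password or passphrase from the operating system's CSPRNG and how much entropy each gets. This is example code written for this post, not LastPass's or any other manager's generator; the word list is a constructed stand-in for a real diceware list.

```python
import math
import secrets
import string
from typing import Sequence

# `secrets` reads the OS CSPRNG (/dev/urandom, CryptGenRandom). Never use
# `random`, a seedable Mersenne Twister, to generate secrets.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str, alphabet: str = ALPHABET) -> bool:
    """True if the password contains every character class present in `alphabet`."""
    classes = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if set(c) & set(alphabet)]
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20, alphabet: str = ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Uniformly random password, optionally retried until every class appears.

    Rejection sampling (retry the whole string) keeps the distribution uniform
    over the accepted set; forcing "one digit in position 3" would not.
    """
    if length < 12:
        raise ValueError("refuse to generate passwords shorter than 12 characters")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(password, alphabet):
            return password


# Constructed stand-in for a diceware-style list; a real one has 7776 words.
WORDLIST = ["correct", "horse", "battery", "staple", "quartz", "lantern",
            "meadow", "pixel", "violet", "anchor", "copper", "thistle",
            "marble", "falcon", "harbor", "ember"]


def generate_passphrase(wordlist: Sequence[str], words: int = 6, sep: str = "-") -> str:
    """xkcd-style passphrase: `words` uniformly random words joined by `sep`."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    phrase = generate_passphrase(WORDLIST, 6)
    print(phrase, f"{entropy_bits(6, len(WORDLIST)):.1f} bits")
```

With the 94-character alphabet, 20 characters is about 131 bits of entropy; six words from the 16-word stand-in list is only 24 bits, which is why real diceware lists use 7776 words (about 12.9 bits per word, roughly 77 bits for six words). The `length < 12` guard and the class check exist because site password policies, not the manager, are usually the limiting factor.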
The obvious and naive way to protect a password manager is with a password, which would in theory push you right back to the single-password problem: one password now protects your entire online identity. The way password managers get beyond this is with multi-factor authentication. One caveat worth knowing: MFA gates logins to the service, but the vault itself is encrypted with a key derived from your master password, so if a copy of the encrypted vault is ever stolen, the strength of that master password is all that protects it. Make it long and unique.
Multi-factor authentication is a good mix of secure and convenient. It is not as foolproof as some biometrics or key-based authentication, but it offers close to the convenience of a password, as a protection on top of your existing password. MFA, sometimes called 2FA (two-factor auth), requires a separate device, often the user's phone, to generate a short code. In the common TOTP scheme, both the service and the user's device hold the same shared secret (enrolled from the QR code), and each derives the current code from that secret and the current 30-second time window, so they agree on the code without the secret ever being sent again. This means that in order to log in, an attacker would need the username/email, the password, and access to the user's phone (and its unlock code, if implemented properly). Adding an entirely new factor makes this much harder to break.
Password managers use MFA to protect your password library. This effectively extends MFA-level protection to your whole identity across the internet. So even in a world of data breaches, if your username and password for one site get stolen, it is as easy as generating a new password for that service; the stolen password was not used anywhere else and is useless once the new one is set.
So in the market of securing your entire online identity, there are a few good players. For a full review, I cannot top the Wirecutter's review of password managers, but for the lazy, I will go over the big players.
In 2017, the big players in the space are:
- 1Password
The factors to consider for a password manager are features such as:
- Platforms supported (Windows, OSX, iOS, Android, etc.)
- Form Filling
- Browser Plugins (autofill in browser when authenticated)
- Mobile App
- Use of fingerprints for unlocking on mobile
For a high-level comparison across these features and more, I highly recommend Tom's Guide.
I chose LastPass because I need cross-platform support for Windows, OSX, and Android. I absolutely wanted to be able to use the fingerprint reader on my Android device to unlock the LastPass app, as well as MFA. Even the free tier gives unlimited devices and sync across platforms. Simply put, the free tier covered all of my needs.
The one caveat that gave me pause was that LastPass themselves had a major data breach last year. Luckily it was nothing that a few password resets couldn't get around, but it did have me a bit worried for a while that the keeper of my entire online identity wasn't as secure as they were touting.
If you are looking for something a bit more roll-your-own, I would probably recommend KeePass plus something like Keybase, which would let you sync your encrypted password database across devices that you have personally signed. There is a lot more manual setup, but there is little chance of someone breaching your data unless you make some big security missteps, since no third party ever holds a readable copy of the database; it remains only as strong as its master password (and key file, if you use one).